Summary
Home Assistant apps (formerly add-ons) configured with host network mode expose unauthenticated endpoints bound to the internal Docker bridge interface to the local network. On Linux, this configuration does not restrict access to the app as intended, allowing any device on the same network to reach these endpoints without authentication.
Severity
Critical
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Vulnerability details
- Vulnerability Type: CWE-923: Improper Restriction of Communication Channel to Intended Endpoints
- Affected Component: Home Assistant Operating System, Home Assistant Supervisor
- Affected Versions: Home Assistant Operating System 17.1 / Home Assistant Supervisor 2026.03.1
- Fixed Versions: Home Assistant Supervisor 2026.03.2
Description
It is a common pattern in Home Assistant Apps to configure the container with host network mode while binding an unauthenticated management or API endpoint to the internal Docker bridge interface hassio created by Supervisor (172.30.32.0/23, and if IPv6 is enabled, which is the default for new installations, fd0c:ac1e:2100::/48), often for the purposes of Home Assistant facilitated ingress. The assumption is that this binding restricts access to inter-container communication only.
On Linux, this assumption is incorrect. When host network mode is enabled, the container shares the host's network namespace. With Docker's default firewall configuration, packets destined for the bridge interface address are not restricted to local containers, meaning any attacker who can route suitable packets to the host can reach these endpoints directly. This effectively bypasses all authentication and exposes full API access to unauthenticated network attackers.
The root cause lies in the Home Assistant Operating System and Supervisor, which do not configure firewall rules to restrict access to the Docker bridge interface from the local network. Apps have been developed under the reasonable assumption that endpoints bound to the internal bridge interface are not externally reachable, but the OS/Supervisor does not enforce this assumption at the firewall level.
This is a systemic architectural issue affecting multiple Apps that follow this pattern.
Confirmed impacted Home Assistant apps
| App | Exposed | Notes |
| --- | --- | --- |
| Advanced SSH & Web Terminal | Full shell access (via http) | No authentication required |
| Music Assistant | WebSocket API | User impersonation via ingress headers |
| Matter Server | WebSocket API | |
Additional Apps using the same pattern may also be affected.
Attack scenario
- The attacker has access to the same local network as the Home Assistant instance (e.g., via Wi-Fi, compromised IoT device, or guest network).
- The attacker identifies the Home Assistant host IP on the network (e.g., via mDNS resolution of homeassistant.local).
- The attacker adds a host route for the Docker bridge IP (172.30.32.1 or fd0c:ac1e:2100::1) via the Home Assistant host IP, making the internal bridge interface reachable from their machine.
- The attacker connects directly to the unauthenticated endpoint on the bridge interface (e.g., ws://172.30.32.1:8094/ws).
- The endpoint responds without requiring any authentication, granting the attacker full access to the App's functionality.
Prerequisites
- The attacker must be able to route packets destined for the Docker bridge interface address to the Home Assistant host. The most common scenario to achieve this is a device on the same broadcast domain.
Recommended mitigations
- Add firewall rules (e.g., iptables/nftables) at the OS/Supervisor level to restrict access to the Docker bridge interface, ensuring only local containers can reach bridge-bound endpoints.
- Audit all existing Apps for unauthenticated endpoints that rely on bridge-level isolation.
- Ensure Apps with host network mode cannot have their internal endpoints reached from the local network.
Applied mitigation
The Home Assistant Supervisor fix (2026.03.2) applies firewall rules on the host via systemd, protecting all installations regardless of Home Assistant OS version. A future OS release is planned to include the fix at the Docker engine level, which is architecturally more appropriate as Docker already manages all other firewall rules for the bridge network.
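As an added illustration of the audit and firewall recommendations above (this is example code, not code from the advisory or the Home Assistant project): the first function models the host's input decision for bridge-destined traffic before and after a Supervisor-style rule, and the second scans `ss -Hltn` output for listeners bound to the hassio bridge addresses. The interface name `hassio`, the `ss` sample lines and port 8099 are assumptions constructed for the example; the subnets and port 8094 come from the advisory.

```python
"""Audit helper for bridge-bound listeners on a Home Assistant host (added example)."""
import ipaddress
import re

# Supervisor's hassio bridge networks as stated in the advisory.
BRIDGE_NETS = [
    ipaddress.ip_network("172.30.32.0/23"),
    ipaddress.ip_network("fd0c:ac1e:2100::/48"),
]
BRIDGE_IFACE = "hassio"  # assumed host interface name for the bridge
LOCAL_IFACES = {BRIDGE_IFACE, "lo"}


def is_bridge_addr(addr: str) -> bool:
    """True if addr falls inside one of the hassio bridge subnets (v4 or v6)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # wildcards such as '*' or unparsable tokens
    return any(ip in net for net in BRIDGE_NETS)


def firewall_verdict(in_iface: str, dst: str, mitigated: bool) -> str:
    """Model the host's input decision for one packet.
    Unmitigated (Docker defaults): a packet routed to the bridge address is
    accepted whatever interface it arrived on, which is the advisory's bug.
    Mitigated (Supervisor 2026.03.2-style rule): bridge-destined traffic is
    accepted only when it arrives on the bridge interface or loopback."""
    if not is_bridge_addr(dst):
        return "accept"  # not covered by the bridge rule
    if mitigated and in_iface not in LOCAL_IFACES:
        return "drop"
    return "accept"


# Matches `ss -Hltn` lines: STATE RECV-Q SEND-Q LOCAL_ADDR:PORT PEER ...
_SS_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def find_bridge_listeners(ss_output: str) -> list[tuple[str, int]]:
    """Return (addr, port) for every listener bound to a hassio bridge address."""
    found = []
    for line in ss_output.splitlines():
        m = _SS_RE.match(line.strip())
        if m:
            addr, port = m.group(1).strip("[]"), int(m.group(2))
            if is_bridge_addr(addr):
                found.append((addr, port))
    return found


# Constructed sample output; only the two bridge-bound sockets should be flagged.
SAMPLE_SS = """\
LISTEN 0 128 172.30.32.1:8094 0.0.0.0:* users:(("python3",pid=412,fd=7))
LISTEN 0 128 [fd0c:ac1e:2100::1]:8099 [::]:*
LISTEN 0 4096 0.0.0.0:8123 0.0.0.0:*
LISTEN 0 128 127.0.0.1:22222 0.0.0.0:*
"""
```

Wildcard listeners (0.0.0.0, [::]) are deliberately not flagged here, since they are exposed by design rather than by the bridge-isolation assumption this advisory describes.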
Acknowledgements
Discovered by Artur Pragacz.
References